IBM QRadar SOAR

• message destination (dev_dest; type = Queue);
• function (dev_test) that is related to this destination (dev_test) with custom field (and without pre/post-process script code);
• workflow that properly calls my function;
• menu-item rule (without conditions) that easily calls this workflow.

------------------------------
Maksym Matviienko
------------------------------

Hi Maksym

Can you provide some more information?  Do you see any information when you hit
Action Menu-> Workflow Status or Action Status?  What does your rule and workflow
look like?  Can you post setup.py and the top of your customize.py (reload function)?


------------------------------
AnnMarie Norcross
------------------------------

Original Message:
Sent: Fri October 04, 2019 04:59 AM
From: Maksym Matviienko
Subject: Custom python function

I have followed "IBM Resilient SOAR Platform Function Developer's Guide v34" and tried to implement my own custom python function, but unfortunately stuck.

What was created:

• message destination (dev_dest; type = Queue);
• function (dev_test) that is related to this destination (dev_test) with custom field (and without pre/post-process script code);
• workflow that properly calls my function;
• menu-item rule (without conditions) that easily calls this workflow.

So now I export fresh configuration to use it.

 

resilient-circuits codegen --package fn_dev --function dev_test --messagedestination dev_dest --exportfile /home/integrations/exportfile.res

 

After I execute "codegen", new directory "fn_dev" is created with all template files and subdirectories (as it is described in guide).

I don't make any changes to files and just install this package (fn_dev) so that Resilient Circuits can load it.

 

sudo pip install --editable ./fn_dev/

 

And after I restart resilient, I run resilient-circuits. I can see that service subscribes to my new message destination:

INFO [actions_component] Subscribe to message destination 'dev_dest'

INFO [stomp_component] Subscribe to message destination actions.201.dev_dest

 

However, if I try to call the function from an incident, it shows nothing in log (yes, it is in DEBUG mode).

I can confirm that if I trigger another menu-item rule that only posts transaction data to message destination - it works, but if it is configured to call workflow (with my function) - nothing happens.

Also, I have noticed that directory "/usr/local/lib/python2.7/site-packages/" contains other integrations properly but not mine (fn-dev.egg-link), like:

fn_bigfix

fn_bigfix-1.1.0.dist-info

fn_datatable_utils

fn_datatable_utils-1.0.0.dist-info

fn-dev.egg-link

fn_ldap_utilities

fn_ldap_utilities-1.0.0.dist-info

fn_utilities

fn_utilities-1.0.10.dist-info

 

I'm almost sure that some more steps are needed to be done, but what exactly?

 

By the way, next command did not help to resolve an issue:

resilient-circuits customize -l fn_dev

------------------------------
Maksym Matviienko
------------------------------

So we know that there was a step missed somewhere if the function is not running.

Here are some starting questions to narrow down the issue:
------------------------------
Jared Fagel
Cyber Security Analyst Intern
Public Utility
------------------------------

Original Message:
Sent: Fri October 04, 2019 04:59 AM
From: Maksym Matviienko
Subject: Custom python function

I have followed "IBM Resilient SOAR Platform Function Developer's Guide v34" and tried to implement my own custom python function, but unfortunately stuck.

What was created:

• message destination (dev_dest; type = Queue);
• function (dev_test) that is related to this destination (dev_test) with custom field (and without pre/post-process script code);
• workflow that properly calls my function;
• menu-item rule (without conditions) that easily calls this workflow.

So now I export fresh configuration to use it.

 

resilient-circuits codegen --package fn_dev --function dev_test --messagedestination dev_dest --exportfile /home/integrations/exportfile.res

 

After I execute "codegen", new directory "fn_dev" is created with all template files and subdirectories (as it is described in guide).

I don't make any changes to files and just install this package (fn_dev) so that Resilient Circuits can load it.

 

sudo pip install --editable ./fn_dev/

 

And after I restart resilient, I run resilient-circuits. I can see that service subscribes to my new message destination:

INFO [actions_component] Subscribe to message destination 'dev_dest'

INFO [stomp_component] Subscribe to message destination actions.201.dev_dest

 

However, if I try to call the function from an incident, it shows nothing in log (yes, it is in DEBUG mode).

I can confirm that if I trigger another menu-item rule that only posts transaction data to message destination - it works, but if it is configured to call workflow (with my function) - nothing happens.

Also, I have noticed that directory "/usr/local/lib/python2.7/site-packages/" contains other integrations properly but not mine (fn-dev.egg-link), like:

fn_bigfix

fn_bigfix-1.1.0.dist-info

fn_datatable_utils

fn_datatable_utils-1.0.0.dist-info

fn-dev.egg-link

fn_ldap_utilities

fn_ldap_utilities-1.0.0.dist-info

fn_utilities

fn_utilities-1.0.10.dist-info

 

I'm almost sure that some more steps are needed to be done, but what exactly?

 

By the way, next command did not help to resolve an issue:

resilient-circuits customize -l fn_dev

------------------------------
Maksym Matviienko
------------------------------

The problem was found: in "Workflow Status" menu my workflow was running (from the first time when I deployed it), that's why it was not possible to call it again. I terminated that process, restarted circuits and my custom action button works well now, and resilient log confirms that!
All log messages are displayed when circuits starts (in the same order):

Thanks a lot for help!

------------------------------
Maksym Matviienko
------------------------------

Original Message:
Sent: Mon October 07, 2019 01:33 PM
From: Jared Fagel
Subject: Custom python function

So we know that there was a step missed somewhere if the function is not running.

Here are some starting questions to narrow down the issue:

1. What is the output of: sudo pip install --editable ./fn_dev/        ?

2. Switch DEBUG back to INFO, it's too verbose for starting a troubleshoot, and restart circuits.

3. When you restart circuits, do you see this in the start-up messages:

INFO [component_loader] 'fn_dev.components.dev_test.FunctionComponent' loading

4. Do you then see this a bit later in the start-up messages:

INFO [actions_component] 'fn_dev.components.dev_test.FunctionComponent' function 'dev_test' registered to 'fn_dev'

5. Do you see this a bit later then:

INFO [actions_component] Subscribe to message destination 'dev_dest'

6. What appears when you run the workflow in the "Action Status" view (with all 4 options selected, ie pending/completed/error/timeout)?

------------------------------
Jared Fagel
Cyber Security Analyst Intern
Public Utility

Original Message:
Sent: Fri October 04, 2019 04:59 AM
From: Maksym Matviienko
Subject: Custom python function

I have followed "IBM Resilient SOAR Platform Function Developer's Guide v34" and tried to implement my own custom python function, but unfortunately stuck.

What was created:

• message destination (dev_dest; type = Queue);
• function (dev_test) that is related to this destination (dev_test) with custom field (and without pre/post-process script code);
• workflow that properly calls my function;
• menu-item rule (without conditions) that easily calls this workflow.

So now I export fresh configuration to use it.

 

resilient-circuits codegen --package fn_dev --function dev_test --messagedestination dev_dest --exportfile /home/integrations/exportfile.res

 

After I execute "codegen", new directory "fn_dev" is created with all template files and subdirectories (as it is described in guide).

I don't make any changes to files and just install this package (fn_dev) so that Resilient Circuits can load it.

 

sudo pip install --editable ./fn_dev/

 

And after I restart resilient, I run resilient-circuits. I can see that service subscribes to my new message destination:

INFO [actions_component] Subscribe to message destination 'dev_dest'

INFO [stomp_component] Subscribe to message destination actions.201.dev_dest

 

However, if I try to call the function from an incident, it shows nothing in log (yes, it is in DEBUG mode).

I can confirm that if I trigger another menu-item rule that only posts transaction data to message destination - it works, but if it is configured to call workflow (with my function) - nothing happens.

Also, I have noticed that directory "/usr/local/lib/python2.7/site-packages/" contains other integrations properly but not mine (fn-dev.egg-link), like:

fn_bigfix

fn_bigfix-1.1.0.dist-info

fn_datatable_utils

fn_datatable_utils-1.0.0.dist-info

fn-dev.egg-link

fn_ldap_utilities

fn_ldap_utilities-1.0.0.dist-info

fn_utilities

fn_utilities-1.0.10.dist-info

 

I'm almost sure that some more steps are needed to be done, but what exactly?

 

By the way, next command did not help to resolve an issue:

resilient-circuits customize -l fn_dev

------------------------------
Maksym Matviienko
------------------------------